I'm using the PowerShell cmdlet "Get-Hotfix" to detect vulnerability of a given server. Here is the code:

if (!(get-hotfix -id KB2964444 -ErrorAction SilentlyContinue)) { echo "Missing!" }

This works perfectly, but my concern relates to cumulative updates. If a later cumulative update includes the previous hotfixes, will it be reported as TRUE (the correct response) or "Missing!"?

If I do a full output of get-hotfix (below), I don't see any cumulative updates (but cumulative ones HAVE been applied), which leads me to think that the individual ones will always be visible.

Source        Description      HotFixID      InstalledBy          InstalledOn
------        -----------      --------      -----------          -----------
WIN-EJ3M07... Update           KB2899189_... NT AUTHORITY\SYSTEM  7/3/2014 12:00:00 AM
WIN-EJ3M07... Security Update  KB2894856     NT AUTHORITY\SYSTEM  9/15/2014 12:00:00 AM
WIN-EJ3M07... Security Update  KB2918614     NT AUTHORITY\SYSTEM  9/15/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2919355     WIN-EJ3M07TUG3E\A... 3/18/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2919442     WIN-EJ3M07TUG3E\A... 3/18/2014 12:00:00 AM
WIN-EJ3M07... Security Update  KB2920189     NT AUTHORITY\SYSTEM  7/7/2014 12:00:00 AM
WIN-EJ3M07... Security Update  KB2931366     NT AUTHORITY\SYSTEM  7/7/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2937220     WIN-EJ3M07TUG3E\A... 3/18/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2938772     WIN-EJ3M07TUG3E\A... 3/18/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2939153     NT AUTHORITY\SYSTEM  7/7/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2939471     WIN-EJ3M07TUG3E\A... 3/18/2014 12:00:00 AM
WIN-EJ3M07... Security Update  KB2939576     NT AUTHORITY\SYSTEM  7/7/2014 12:00:00 AM
WIN-EJ3M07... Hotfix           KB2949621     WIN-EJ3M07TUG3E\A... 3/18/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2950153     NT AUTHORITY\SYSTEM  7/7/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2954879     NT AUTHORITY\SYSTEM  7/3/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2955164     NT AUTHORITY\SYSTEM  7/7/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2956575     NT AUTHORITY\SYSTEM  7/7/2014 12:00:00 AM
WIN-EJ3M07... Security Update  KB2957189     NT AUTHORITY\SYSTEM  7/7/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2958262     NT AUTHORITY\SYSTEM  7/7/2014 12:00:00 AM
WIN-EJ3M07... Hotfix           KB2959626     NT AUTHORITY\SYSTEM  7/9/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2959977     NT AUTHORITY\SYSTEM  7/7/2014 12:00:00 AM
WIN-EJ3M07... Security Update  KB2961072     NT AUTHORITY\SYSTEM  7/15/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2962140     NT AUTHORITY\SYSTEM  7/7/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2962409     NT AUTHORITY\SYSTEM  9/15/2014 12:00:00 AM
WIN-EJ3M07... Security Update  KB2962872     NT AUTHORITY\SYSTEM  7/15/2014 12:00:00 AM
WIN-EJ3M07... Security Update  KB2964718     NT AUTHORITY\SYSTEM  7/7/2014 12:00:00 AM
WIN-EJ3M07... Security Update  KB2964736     NT AUTHORITY\SYSTEM  7/7/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2965142     NT AUTHORITY\SYSTEM  7/7/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2965500     NT AUTHORITY\SYSTEM  7/3/2014 12:00:00 AM
WIN-EJ3M07... Security Update  KB2965788     NT AUTHORITY\SYSTEM  7/3/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2966804     NT AUTHORITY\SYSTEM  7/7/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2967917     NT AUTHORITY\SYSTEM  9/15/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2969339     NT AUTHORITY\SYSTEM  7/3/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2969817     NT AUTHORITY\SYSTEM  7/7/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2971203     NT AUTHORITY\SYSTEM  7/15/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2971239     NT AUTHORITY\SYSTEM  8/13/2014 12:00:00 AM
WIN-EJ3M07... Security Update  KB2971850     NT AUTHORITY\SYSTEM  7/15/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2972094     NT AUTHORITY\SYSTEM  7/9/2014 12:00:00 AM
WIN-EJ3M07... Security Update  KB2972280     NT AUTHORITY\SYSTEM  7/9/2014 12:00:00 AM
WIN-EJ3M07... Security Update  KB2973201     NT AUTHORITY\SYSTEM  7/15/2014 12:00:00 AM
WIN-EJ3M07... Security Update  KB2973351     NT AUTHORITY\SYSTEM  7/15/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2973448     NT AUTHORITY\SYSTEM  9/15/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2974008     NT AUTHORITY\SYSTEM  7/9/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2975061     NT AUTHORITY\SYSTEM  7/9/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2975719     NT AUTHORITY\SYSTEM  10/6/2014 12:00:00 AM
WIN-EJ3M07... Security Update  KB2976627     NT AUTHORITY\SYSTEM  9/15/2014 12:00:00 AM
WIN-EJ3M07... Security Update  KB2976897     NT AUTHORITY\SYSTEM  9/15/2014 12:00:00 AM
WIN-EJ3M07... Security Update  KB2977629     NT AUTHORITY\SYSTEM  9/15/2014 12:00:00 AM
WIN-EJ3M07... Security Update  KB2977765     NT AUTHORITY\SYSTEM  9/15/2014 12:00:00 AM
WIN-EJ3M07... Security Update  KB2978668     NT AUTHORITY\SYSTEM  9/15/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2979500     NT AUTHORITY\SYSTEM  9/15/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2979582     NT AUTHORITY\SYSTEM  10/6/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2980654     NT AUTHORITY\SYSTEM  9/15/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2981580     NT AUTHORITY\SYSTEM  9/15/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2981655     NT AUTHORITY\SYSTEM  9/15/2014 12:00:00 AM
WIN-EJ3M07... Security Update  KB2982791     NT AUTHORITY\SYSTEM  9/15/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2982794     NT AUTHORITY\SYSTEM  8/13/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2987114     NT AUTHORITY\SYSTEM  9/15/2014 12:00:00 AM
WIN-EJ3M07... Security Update  KB2988948     NT AUTHORITY\SYSTEM  9/15/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2989647     NT AUTHORITY\SYSTEM  9/24/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2990532     NT AUTHORITY\SYSTEM  10/6/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2990967     NT AUTHORITY\SYSTEM  9/24/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2993100     NT AUTHORITY\SYSTEM  9/24/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2993651     NT AUTHORITY\SYSTEM  9/15/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2995004     NT AUTHORITY\SYSTEM  10/6/2014 12:00:00 AM
WIN-EJ3M07... Update           KB2998527     NT AUTHORITY\SYSTEM  9/24/2014 12:00:00 AM

EDIT: Ultimately, my question is: Is there a way to query the individual hotfixes included in a cumulative update? Do the included hotfixes always show (even if a Cumulative Update has been applied)?

  • What is your question? Commented Oct 11, 2014 at 3:03
  • @NathanRice: Question is does Get-HotFixes show fixes when packaged in a CU, or just the CU. Follow up question is: Can you drill down into a CU to see its component fixes? Commented Oct 12, 2014 at 1:20
  • Sorry, I should have clarified. @JohnLBevan is correct. Commented Oct 13, 2014 at 19:27

1 Answer

Testing this, it seems you'll get "Missing".

Checking for: KB2909921 "MS14-010: Cumulative security update for Internet Explorer: February 11, 2014" (http://support.microsoft.com/kb/2909921):

PS C:\Windows\System32> get-hotfix -id KB2909921

Source        Description      HotFixID      InstalledBy          InstalledOn
------        -----------      --------      -----------          -----------
MyMachine     Security Update  KB2909921     NT AUTHORITY\SYSTEM

Checking for: KB2926827 "Web browser control hosting application may lose session information unexpectedly" (included in the above CU; http://support.microsoft.com/kb/2926827)

PS C:\Windows\System32> get-hotfix -id KB2926827
Get-HotFix : This command cannot find hot-fix on the machine 'localhost'. Verify the input and Run your command again.
At line:1 char:11
+ get-hotfix <<<<  -id KB2926827
+ CategoryInfo          : ObjectNotFound: (:) [Get-HotFix], ArgumentException
+ FullyQualifiedErrorId : GetHotFixNoEntriesFound,Microsoft.PowerShell.Commands.GetHotFixCommand

Update

Here's a painful hack which may help. No guarantees, very slow, and only finds KBs which follow the current URL convention / have their HTML formatted the way my scraper assumes. Could be improved by caching the results somewhere / perhaps used to build a reference database.

function get-hotfixInfo()
{
    process 
    {
        #$url = "http://support2.microsoft.com/kb/{0}" -f ($_.HotFixId -replace "KB(\d*)",'$1')
        $url = $_.Caption           
        try
        {
            $response = (Invoke-Webrequest $url -ea stop)
        } catch {
            $response = @{
                ParsedHTML = @{
                    Title = "{0}`n`nURL: {1}" -f $error[0].Exception,$url 
                }
            }
        }
        $html = $response.ParsedHTML
        $isCU = $html.title -like "*cumulative*update*"
        $kblets = $null
        if($isCU) #this bit can be even slower than the above, hence only run if we believe we have a CU
        {
            $baseUri = $response.BaseResponse.ResponseURI
            $kblets = $html.getElementsByTagName('a') `
                | ? { ($_.parentNode.tagname -eq 'TD') -and ($_.parentNode.nextsibling.tagname -eq 'TD') } `
                | ? { $_.className -eq 'KBlink' } `
                | % { New-Object -TypeName PSObject -Prop @{
                    Id = "KB{0}" -f $_.innerText
                    Uri = (new-object System.URIBuilder($baseUri.scheme,$baseUri.dnssafehost,$baseUri.port,($_.href -replace "about:/(.*)",'$1'))).ToString()
                    Title = $_.parentNode.nextsibling.innerText
                }}
        }
        New-Object -TypeName PSObject -Prop @{
            Id = $_.HotFixId
            IsCU = $isCU 
            Title = $html.title
            Source = $_.source
            Description = $_.description
            InstalledBy = $_.installedby
            InstalledOn = $_.installedon
            Uri = "http://support2.microsoft.com/kb/{0}" -f ($_.HotFixId -replace "KB(\d*)",'$1')
            KBlets = $kblets
        }
    }
}

#get the first 2 cumulative update hotfixes
get-hotfix | get-hotfixInfo | ?{$_.isCU} | select -first 2 | fl

#get the hotfix id for IE11 CU Feb 2014, and its component hotfixes
get-hotfix -id kb2909921 | get-hotfixInfo | %{ New-Object -TypeName PSObject -Prop @{Id=$_.Id;Title=$_.Title}; $_.KBlets | %{ New-Object -TypeName PSObject -Prop @{Id=$_.Id;Title=$_.Title}}} | ft -autosize
4 Comments

Yes - I think you're right. Is there a technique for finding the hotfixes that a cumulative rolls up?
Sadly no way that I could find (programmatically). You could search technet for all CUs and build a list of hotfixes, but that would be very painful. Someone could build a service to provide that data which your script could query (doesn't seem to exist yet). Ideally MS would list the actual fixes rather than the CUs they're packaged in.
Sigh. This is going to just make maintaining this stuff harder. Oh well.
ps. running $hf = get-hotfix -id kb2909921 | get-hotfixInfo; $hf | %{$_.kblets | %{ get-hotfix -id $_.id }} shows that none of the component hotfixes are listed. Thought it worth checking in case one or two of the fixes in the CU weren't applicable to my machine. Sorry :/
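
Since Get-HotFix lists the cumulative update but not the fixes rolled into it, a patch check has to consult a CU-to-component map before reporting a KB as missing. The following is an added example, not code from the question or the answer; `Test-KbCovered` and `$CuMap` are hypothetical names, and the map is assumed to be maintained by hand or filled from cached scraper output (its single entry is the pair tested in the answer).

```powershell
# Added example. The map is an assumption: CU KB -> KBs it rolls up.
# The one entry below is the CU/component pair shown in the answer.
$CuMap = @{
    'KB2909921' = @('KB2926827')   # MS14-010 IE cumulative update -> component KB
}

function Test-KbCovered {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]    $Id,
        [Parameter(Mandatory)] [hashtable] $Map,
        # Installed IDs; defaults to the local machine. Pass a list to test offline.
        [string[]] $Installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    )

    # -contains is case-insensitive, so 'kb2909921' and 'KB2909921' both match.
    if ($Installed -contains $Id) {
        return [pscustomobject]@{ Id = $Id; Covered = $true; Via = 'direct' }
    }

    # Not listed on its own: look for an installed CU whose component list includes it.
    foreach ($cu in $Map.Keys) {
        if (($Map[$cu] -contains $Id) -and ($Installed -contains $cu)) {
            return [pscustomobject]@{ Id = $Id; Covered = $true; Via = $cu }
        }
    }

    # Neither installed directly nor rolled up by any CU the map knows about.
    [pscustomobject]@{ Id = $Id; Covered = $false; Via = $null }
}

# Constructed sample: a machine that reports only the CU, as in the answer.
$sample = @('KB2909921', 'KB2919355')
'KB2926827', 'KB2909921', 'KB2964444' |
    ForEach-Object { Test-KbCovered -Id $_ -Map $CuMap -Installed $sample } |
    Format-Table -AutoSize
```

A `Covered = $false` result only means the KB is absent from both the installed list and the map, so an incomplete map still produces false "Missing" reports.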
